EU data protection officials, concerned about the illegal processing of personal data by Meta, have extended Norway’s ban on the global giant’s processing of personal data for “behavioural advertising” across the entire European Economic Area (EEA).
The European Data Protection Board (EDPB) said it had taken the “urgent binding decision” at Oslo’s request and had advised Meta that the EDPB ruling takes effect next week.
EDPB chair Anu Talus declared it was high time “for Meta to bring its processing into compliance and to stop unlawful processing.”
Behavioural advertising is the practice where companies process data culled from an individual’s online routines such as website browsing habits, mouse clicks and app usage to build profiles for targeting ads.
The EU privacy legislation known as the General Data Protection Regulation (GDPR) permits businesses to process personal data, but only in specific circumstances such as meeting legal obligations, saving an individual’s, in matters of public interest, or with a person’s “unambiguous consent”.
Tobias Judin, head of the international section responsible for Norwegian data protection, said Oslo had decided to put its foot down because of Meta’s lack of respect for the law. In mid-August, the Norwegian authorities imposed a daily fine of 1 million Norwegian kroner (roughly €85,000) on Meta over its targeted advertising.
Meta is contesting the Norwegian decision in court. Earlier this week, it announced that it would offer a subscription service for people in the EU, EEA, and Switzerland, which would enable them to use Facebook and Instagram without ads. An alternative would allow them free use of the platforms with “ads that are relevant to them”. It claimed that the EU’s latest decision was “unjustifiably” ignoring the proposed offer which it said amounted to a “careful and robust regulatory process.”
However, Norway’s Tobias Judin maintains that Meta’s proposed steps are unlikely to meet European legal standards. Consent would have to be freely given and that would not be the case if existing users were forced to choose between giving up their privacy rights or paying what amounted to a financial penalty for a subscription, he declared.
“Meta’s business model is at odds with the law and users’ fundamental rights, and Meta will not back down willingly,” he said in an email response to a media inquiry. “They continue with their unlawful activities to this very day, simply because breaking the law is so profitable.”
Norway’s data protection authorities estimate that Facebook and Instagram, Meta’s social media platforms, have over 250 million active users in the EU and EEA.
In May this year, Meta came under fire in the EU over data protection and was fined €1.2 billion by the Irish Data Protection Authority, the largest ever fine exacted under GDPR over Meta transferring personal data to the US.
Since the EU’s Digital Markets Act (DMA) came into play late last year, Meta and five other tech giants have been subject to legal obligations requiring their online platforms to allow users to access the data they generate, while prohibiting the tech companies from tracking users’ activity across the web.
